US10432421B2 - Communication control device and communication system - Google Patents


Info

Publication number
US10432421B2
Authority
US
United States
Prior art keywords
message
transmission
time point
hash value
circuit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/527,826
Other languages
English (en)
Other versions
US20170324579A1 (en)
Inventor
Hiroaki Takada
Ryo Kurachi
Naoki Adachi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nagoya University NUC
Sumitomo Wiring Systems Ltd
AutoNetworks Technologies Ltd
Sumitomo Electric Industries Ltd
Original Assignee
Nagoya University NUC
Sumitomo Wiring Systems Ltd
AutoNetworks Technologies Ltd
Sumitomo Electric Industries Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nagoya University NUC, Sumitomo Wiring Systems Ltd, AutoNetworks Technologies Ltd, Sumitomo Electric Industries Ltd
Assigned to AUTONETWORKS TECHNOLOGIES, LTD., SUMITOMO ELECTRIC INDUSTRIES, LTD., SUMITOMO WIRING SYSTEMS, LTD., NATIONAL UNIVERSITY CORPORATION NAGOYA UNIVERSITY. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TAKADA, HIROAKI; KURACHI, RYO; ADACHI, NAOKI
Publication of US20170324579A1
Application granted
Publication of US10432421B2
Active
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40143 Bus networks involving priority mechanisms
    • H04L12/40163 Bus networks involving priority mechanisms by assigning priority to messages according to a message field
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40052 High-speed IEEE 1394 serial bus
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40143 Bus networks involving priority mechanisms
    • H04L12/40156 Bus networks involving priority mechanisms by using dedicated slots associated with a priority level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN

Definitions

  • the present disclosure relates to a communication system, such as a controller area network (CAN) for example, in which multiple communication devices transmit and receive messages, and to a communication control device detecting invasion of the system by an invalid message.
  • the CAN communication protocol has widely been employed in communication between multiple electronic control units (ECU) mounted in a vehicle.
  • a communication system employing the CAN communication protocol is so configured that multiple ECUs are connected to a common CAN bus, and transmission and reception of messages are performed by an ECU at the reception side obtaining a signal output by an ECU at the transmission side to the CAN bus.
  • Japanese Patent Application Laid-Open Publication No. 2013-38711 has proposed a communication management device for a vehicle network which restricts the input of external data.
  • the communication management device monitors data on a CAN bus as well as data input from the outside, and if the activity rate of the CAN bus exceeds a load reference value or is predicted to exceed the load reference value along with the transfer of external data, executes transmission control of external data.
  • a malicious device is connected to the CAN bus.
  • Such a device may, for example, transmit an invalid message to the CAN bus to cause a normal ECU or the like connected to the CAN bus to malfunction.
  • because the communication management device described in Japanese Patent Application Laid-Open Publication No. 2013-38711 is configured to determine whether or not the activity rate of the CAN bus exceeds the load reference value, a problem arises in that transmission control cannot be carried out in the case where the amount of message transmission by a malicious device is small.
  • the present disclosure has been made in view of the above circumstances, and aims to provide a communication control device and a communication system capable of detecting any message transmitted by an invalid device to a common communication line.
  • the reference time point decision part and the permission period decision part are to decide the reference time point and the permission period for each of the plurality of communication devices.
  • the message transmitted by the communication device includes information indicating a priority level of the message
  • the permission period decision part is configured to decide the permission period for each priority level of the message.
  • the communication control device comprising an arbitration unit arbitrating a transmission order according to priority levels respectively determined for messages transmitted by a plurality of communication devices if the messages collide with each other, wherein the transmittability determination part is configured to inspect a priority level of a message completed to be transmitted in a period from the scheduled transmission time point related to a determination target message to completion of transmission of the determination target message, and to determine that transmission of the determination target message is not permitted if a message with a priority level lower than a priority level of the determination target message is present.
  • the transmittability determination part is configured to determine, if a message non-transmission period exceeding a predetermined length is present in a period from the scheduled transmission time point related to a determination target message to completion of transmission of the determination target message, that transmission of the determination target message is not permitted.
  • the communication control device comprising: a hash value request part sending a calculation request for a hash value to the communication device; a hash value reception part receiving a hash value transmitted by the communication device as a response to the calculation request; and a hash value determination part determining whether or not the hash value received by the hash value reception part is correct, wherein the reference time point decision part is configured to decide the reference time point based on a time point when reception of a correct hash value from the communication device is completed.
  • the communication control device comprising a discard processing part performing processing of causing the communication device, receiving a message determined by the transmittability determination part that transmission of the message is not permitted, to discard the message.
  • a communication system comprising a plurality of communication devices transmitting and receiving messages to/from each other, and a communication control device controlling communication performed by the communication devices, wherein each communication device includes a message transmission part periodically transmitting messages, and the communication control device includes: a reference time point decision part deciding a reference time point concerning message transmission by the message transmission part; a permission period decision part deciding that a predetermined period including a scheduled transmission time point obtained by adding a period corresponding to an integer multiple of a cycle of message transmission by the message transmission part to the reference time point decided by the reference time point decision part is a permission period for message transmission; a message detection part detecting the message transmitted by a communication device; and a transmittability determination part determining transmittability of a message detected by the message detection part in accordance with whether or not the message is transmitted during the permission period decided by the permission period decision part.
  • the reference time point decision part and the permission period decision part are configured to decide the reference time point and the permission period for each of the plurality of communication devices.
  • the message transmitted by the plurality of communication devices includes information indicating a priority level of the message
  • the permission period decision part is configured to decide the permission period for each priority level of the message.
  • the communication system comprising an arbitration unit arbitrating a transmission order according to priority levels respectively determined for messages transmitted by the plurality of communication devices if the messages collide with each other, wherein the transmittability determination part is configured to inspect a priority level of a message completed to be transmitted in a period from the scheduled transmission time point related to a determination target message to completion of transmission of the determination target message, and to determine that transmission of the determination target message is not permitted if a message with a priority level lower than a priority level of the determination target message is present.
  • the transmittability determination part is configured to determine, if a message non-transmission period exceeding a predetermined length is present in a period from the scheduled transmission time point related to a determination target message to completion of transmission of the determination target message, that transmission of the determination target message is not permitted.
  • the communication control device includes: a hash value request part sending a calculation request for a hash value to a communication device; a hash value reception part receiving a hash value transmitted by the communication device as a response to the calculation request; and a hash value determination part determining whether or not the hash value received by the hash value reception part is correct, wherein each communication device includes: a hash value calculation part calculating a hash value in accordance with a calculation request from the communication control device; and a hash value transmission part transmitting the hash value calculated by the hash value calculation part to the communication control device, and wherein the reference time point decision part is configured to decide the reference time point based on a time point when reception of a correct hash value from the communication device is completed.
  • the message transmission part is configured to decide a reference time point based on the time point when transmission of a correct hash value from the hash value transmission part is completed, and to periodically transmit messages with the decided time point set as a reference.
  • the communication control device includes a discard processing part performing processing of causing a communication device, receiving a message determined by the transmittability determination part that transmission of the message is not permitted, to discard the message.
  • the communication system having a configuration in which a plurality of communication devices are connected to a common communication line and each of the communication devices periodically transmits messages, is provided with a communication control device detecting invalid message transmission.
  • the communication control device monitors a common communication line to detect a message transmitted by a communication device. By determining whether or not the detected message has been transmitted during the permission period described above, the communication control device may determine whether or not this message is invalid and determine whether or not transmission of this message is permitted.
  • the communication control device is configured to decide a permission period for the subsequent message transmission, i.e., configured to decide a permission period on an absolute basis, based on the reference time point decided at the initial stage.
  • a predetermined period including a time point obtained by adding the cycle T to the reception time point of the message is set as a permission period, i.e., that the permission period is decided on a relative basis.
  • arbitration processing is performed if collision occurs in message transmission, and thus a delay may be caused in the transmission of a message having a low priority level.
  • the permission period for determination varies if a delay occurs in message transmission, and therefore it is difficult to shorten the permission period.
  • the permission period for the next message may be decided on the basis of the reception of an invalid message. If such a situation occurs, it is possible that invalid messages are sequentially misjudged as valid messages.
  • the communication control device is able to avoid the occurrence of these problems by deciding a permission period on the absolute basis.
  • the communication control device decides the reference time point individually for each communication device included in the communication system. Moreover, the communication control device decides a permission period for each communication device with respect to its decided reference time point.
  • the message transmission cycle of the communication control device may be different for each communication device. Thus, even in the case where communication devices having different transmission cycles and transmission timings of messages are included in the communication system, the communication control device may determine the transmittability of a message for each communication device.
  • the communication device may transmit different types of messages with different transmission cycles, and the communication control device decides a permission period for each type of message. It is noted that the communication control device may also decide a reference time point for each type of message. Thus, even if one communication device transmits messages having different transmission cycles, the communication control device may determine the transmittability for each type of message.
  • multiple communication devices are connected to the common communication line, which may cause multiple messages to collide against each other on the communication line if the communication devices simultaneously transmit messages.
  • arbitration processing is performed between the communication devices, and the messages are transmitted in the order according to their priority levels. That is, among the collided messages, a message with a high priority level is transmitted first and then a message with a low priority level is transmitted.
  • a message to be periodically transmitted by the communication device may collide against another message and be delayed.
  • the communication control device therefore inspects, for a message to be determined (also referred to as a determination target message or target message), whether or not a different message has been transmitted in a period from the scheduled transmission time point to the completion of the message transmission. In the case where a different message has been transmitted, the communication control device compares the priority level of the determination target message with the priority level of the different message.
  • the communication control device may determine the transmittability of a message.
  • the communication control device determines whether or not a message non-transmission period exceeding a predetermined length is present in a period from a scheduled transmission time point of the target message to the completion of transmission of the message. If the message non-transmission period is present, it is assumed that the delay of the target message is not caused by proper arbitration processing, so that the communication control device will not permit transmission of the target message.
  • a predetermined procedure is performed between the communication control device and the communication device in order to decide the reference time point.
  • the communication control device transmits a calculation request for a hash value to the communication device.
  • the communication control device may send information necessary to calculate a hash value together with a calculation request.
  • the communication device which received a calculation request from the communication control device calculates a hash value using a predetermined hash function based on the information stored in its own memory, and transmits the calculated hash value to the communication control device.
  • the communication control device which received the hash value from the communication device determines whether or not the hash value is correct.
  • the communication control device decides a reference time point based on the time point when the reception of the hash value is completed.
  • the communication device may set the time point when the reception of the correct hash value is completed as a reference time point, or may set the time point obtained by adding or subtracting a predetermined time period to/from the time point when the reception is completed as the reference time point.
  • the communication device decides the reference time point based on the time point when the transmission of the correct hash value is completed, and periodically transmits messages with the decided time point set as the reference.
  • the communication control device may detect an invalid message with high reliability.
  • the communication control device performs the processing of causing the communication device which receives the message to discard the message. This can prevent the communication device from receiving an invalid message and performing processing according to the message.
  • the communication control device is configured to decide a permission period including the time point obtained by adding a period corresponding to an integer multiple of the message transmission period to the reference time point, and to determine whether or not the message transmitted by the communication device is present within the permission period.
  • a message transmitted by an invalid device to a common communication line may precisely be detected.
  • FIG. 1 is a schematic diagram illustrating the configuration of a communication system according to an embodiment of the present disclosure.
  • FIG. 2 is a block diagram illustrating the configuration of an ECU.
  • FIG. 3 is a block diagram illustrating the configuration of a monitoring device.
  • FIG. 4 is a schematic view illustrating the configuration of copy data stored in a storage unit of the monitoring device.
  • FIG. 5 is a schematic view illustrating the configuration of cycle information stored in a storage unit of the monitoring device.
  • FIG. 6 is a schematic view for illustrating invalid message detection processing performed by the monitoring device.
  • FIG. 7 is a schematic view for illustrating determination on a condition related to arbitration processing, performed by a transmittability determination part.
  • FIG. 8 is a schematic view for illustrating determination on a condition related to arbitration processing, performed by the transmittability determination part.
  • FIG. 9 is a schematic view for illustrating determination on a condition related to arbitration processing, performed by the transmittability determination part.
  • FIG. 10 is a schematic view for illustrating determination on a condition related to a message non-transmission period, performed by the transmittability determination part.
  • FIG. 11 is a flowchart illustrating a procedure of message transmittability determination processing performed by the monitoring device.
  • FIG. 12 is a flowchart illustrating a procedure of message transmittability determination processing performed by the monitoring device.
  • FIG. 13 is a schematic diagram for illustrating reference time point decision processing performed between an ECU and the monitoring device.
  • FIG. 14 is a schematic diagram for illustrating reference time point decision processing performed between the monitoring device and multiple ECUs.
  • FIG. 15 is a flowchart illustrating the procedure of reference time point decision processing performed by the monitoring device.
  • FIG. 16 is a flowchart illustrating a procedure of processing performed by an ECU according to a request for calculating a hash value from the monitoring device.
  • FIG. 17 is a flowchart illustrating a procedure of processing performed by an ECU according to a request for confirming a hash value from the monitoring device.
  • FIG. 1 is a schematic diagram illustrating the configuration of a communication system according to an embodiment of the present disclosure.
  • the communication system according to the present embodiment is configured to include multiple ECUs 3 mounted to the vehicle 1 and one monitoring device 5.
  • the ECUs 3 and the monitoring device 5 are connected with one another via a common communication line installed in the vehicle 1, and can transmit and receive messages to/from one another.
  • a CAN bus is employed as the communication line, and the ECUs 3 and monitoring device 5 perform communication according to the CAN protocol.
  • the ECUs 3 may be, for example, various electronic control devices such as an engine ECU controlling the engine of the vehicle 1, a body ECU controlling an electric component of a vehicle body, an ABS-ECU performing control related to an antilock brake system (ABS) or an air bag ECU controlling an air bag of the vehicle 1.
  • the monitoring device 5 is a device for monitoring invalid message transmission to an in-vehicle network.
  • the monitoring device 5 may be provided as a device dedicated for monitoring, or configured with a monitoring function added to a device such as a gateway for example, or configured with a monitoring function added to any one of the ECUs 3, for example.
  • FIG. 2 is a block diagram illustrating the configuration of one of the ECUs 3.
  • the ECU 3 according to the present embodiment is configured to comprise a processing unit (processor) 31, a read only memory (ROM) 32, a random access memory (RAM) 33, a CAN communication unit (transceiver) 34 and so forth.
  • the processing unit 31 is configured with an arithmetic processing device such as a central processing unit (CPU) or a micro-processing unit (MPU).
  • the processing unit 31 reads out and executes a program 32a stored in the ROM 32 to perform various information processing, control processing or the like concerning the vehicle 1.
  • the ROM 32 is configured with a non-volatile memory element such as a flash memory or an electrically erasable programmable ROM (EEPROM).
  • a program 32a to be executed by the processing unit 31 and various types of data 32b required for processing performed thereby are stored.
  • the program 32a and data 32b stored in the ROM 32 are different for each ECU 3.
  • the RAM 33 is configured with a data-rewritable memory element such as a static random access memory (SRAM) or a dynamic random access memory (DRAM).
  • the CAN communication unit 34 performs communication with another ECU 3 or the monitoring device 5 via the CAN bus in accordance with the CAN communication protocol.
  • the CAN communication unit 34 converts information for transmission sent from the processing unit 31 into a signal according to the CAN communication protocol and outputs the converted signal to the CAN bus, to transmit information to another ECU 3 or the monitoring device 5.
  • the CAN communication unit 34 obtains a signal output by another ECU 3 or the monitoring device 5 by sampling the potential at the CAN bus and receives information by converting the signal into binary information in accordance with the CAN communication protocol, to send the received information to the processing unit 31.
  • the CAN communication unit 34 performs, in the case where collision occurs between its own message transmission and the message transmission by another ECU 3 or the monitoring device 5, processing of arbitration as to which message is to be transmitted first, so-called arbitration processing.
  • an ID is determined in advance in accordance with the type of the message.
  • the ID is information treated as a numeric value, and the smaller the value is, the higher the priority for message transmission is. In the communication system, therefore, if transmissions of multiple messages collide with each other on the CAN bus, the message with the highest priority is transmitted, and after the transmission of this message is completed, another message is transmitted. Because the arbitration processing performed by the CAN communication unit 34 is an existing technique, its detailed processing procedure is not described here.
  • the processing unit 31 in the ECU 3 executes the program 32a to implement a message processing part 41, a hash value calculation part 42 and the like as software functional blocks. It is to be noted that a part or whole of the message processing part 41, the hash value calculation part 42 and the like may be implemented as hardware functional blocks.
  • the message processing part 41 periodically performs processing of obtaining information such as information sensed by a sensor or feedback information from equipment to be controlled, creating a message including the obtained information based on the CAN protocol, and transmitting the created message to the CAN bus. It is noted that the transmission cycle of messages is determined for each type of message (i.e., ID), and thus the message processing part 41 may transmit messages at different cycles for each of different types of messages.
  • the hash value calculation part 42 performs processing of calculating a hash value in accordance with a calculation request from the monitoring device 5.
  • the hash value calculation part 42 calculates a hash value by using a predetermined hash function based on a part or whole of the data stored in the ROM 32 (which may include both the program 32a and data 32b) and a random seed attached to the calculation request from the monitoring device 5.
  • the detailed procedure of calculating a hash value by the hash value calculation part 42 will be described later.
  • the hash value calculation part 42 transmits the calculated hash value to the monitoring device 5 as a response to the calculation request.
  • FIG. 3 is a block diagram illustrating the configuration of the monitoring device 5.
  • the monitoring device 5 is configured to include a processing unit (processor) 51, a storage unit 52, a CAN communication unit (transceiver) 53 and so forth.
  • the processing unit 51 is configured with an arithmetic processing device such as a CPU or MPU, which performs processing of monitoring the behavior, communication and the like of ECUs 3 in the vehicle 1 by reading out and executing a program stored in the storage unit 52.
  • the storage unit 52 is configured with a data rewritable non-volatile memory element such as a flash memory or an EEPROM.
  • the storage unit 52 stores therein copy data 52a obtained by copying the content stored in the ROM 32 of each ECU 3 mounted in the vehicle 1, and cycle information 52b related to the transmission cycle of a message transmitted by each ECU 3.
  • the CAN communication unit 53 performs communication with an ECU 3 via the CAN bus in accordance with the CAN communication protocol.
  • the CAN communication unit 53 converts information for transmission sent from the processing unit 51 into a signal according to the CAN communication protocol and outputs the converted signal to the CAN bus, to transmit information to the ECU 3.
  • the CAN communication unit 53 obtains a signal output by the ECU 3 by sampling the potential at the CAN bus and receives information by converting the signal into binary information in accordance with the CAN communication protocol, to send the received information to the processing unit 51.
  • the processing unit 51 in the monitoring device 5 is provided with a reference time point decision part 61, a permission period decision part 62, a transmittability determination part 63, a discard processing part 64 and so forth.
  • the reference time point decision part 61 to the discard processing part 64 may be configured as hardware functional blocks or software functional blocks.
  • the reference time point decision part 61 and the permission period decision part 62 perform processing of deciding, for example, a condition for the monitoring device 5 to detect invalid message transmission.
  • the transmittability determination part 63 performs processing of determining the transmittability of a message output onto the CAN bus, based on the condition decided by the reference time point decision part 61 and the permission period decision part 62.
  • the discard processing part 64 performs processing of causing the ECU 3 to discard the message so as to prevent the ECU 3 from receiving the message.
  • FIG. 4 is a schematic view illustrating the configuration of copy data 52a stored in the storage unit 52 of the monitoring device 5.
  • the monitoring device 5 stores therein, as the copy data 52a, the same content as that stored in the ROM 32.
  • identification information (ECUa, ECUb, ... in FIG. 4) uniquely attached to each ECU 3 is stored in association with the content stored in the ROM 32 of each ECU 3.
  • FIG. 5 is a schematic view illustrating the configuration of cycle information 52b stored in the storage unit 52 of the monitoring device 5.
  • the monitoring device 5 stores, as cycle information 52b, identification information (CAN-ID) attached to the message transmitted and received on the network in the vehicle 1 and the cycle at which the message having the CAN-ID is transmitted in association with each other.
  • the facts that a message with the CAN-ID of 1 has the transmission cycle of 10 ms, that a message with the CAN-ID of 2 has the transmission cycle of 50 ms, and that a message with the CAN-ID of 3 has the transmission cycle of 32 ms are stored for the cycle information 52 b . It is noted that these numeric values are mere examples.
  • the processing of detecting that an invalid message is transmitted onto the CAN bus through which multiple ECUs 3 transmit and receive messages is performed by the monitoring device 5 .
  • an invalid communication device is improperly connected to the CAN bus, and may transmit an invalid message onto the CAN bus.
  • improper alteration or modification is made to any one of the ECUs 3 mounted to the vehicle 1 and this ECU 3 may transmit an invalid message.
  • An invalid communication device may transmit an invalid message with a specific CAN-ID in accordance with the CAN protocol. While a valid CAN-ID utilized in the communication system of the vehicle 1 is used for the CAN-ID attached to such an invalid message, the other data included in the invalid message is invalid data. In the case where an ECU 3 receives an invalid message based on the CAN-ID, the ECU 3 is to perform processing based on invalid data.
  • the communication system according to the present embodiment is to detect an invalid message with a proper CAN-ID attached thereto, a so-called spoofing message.
  • the monitoring device 5 determines whether or not a message to be transmitted periodically is transmitted at correct cycles, to detect an invalid message.
  • FIG. 6 is a schematic view for illustrating invalid message detection processing performed by the monitoring device 5 .
  • the monitoring device 5 decides, for each CAN-ID attached to a message transmitted and received in the communication system, a permission period during which transmission of the message with the CAN-ID is permitted.
  • FIG. 6 illustrates a permission period decided by the monitoring device 5 , for a message with one CAN-ID attached thereto. It is to be noted that the present embodiment does not include a case where one CAN-ID is used by more than one ECU 3 , i.e., where a message with the same CAN-ID is transmitted by multiple ECUs 3 .
  • the transmission cycle of a message to be monitored by the monitoring device 5 is denoted as T.
  • the reference time point decision part 61 in the monitoring device 5 performs a predetermined procedure with the ECU 3 transmitting the message, to decide the reference time point t 0 of message transmission (details of the processing for deciding the reference time point will be described later).
  • the permission period decision part 62 in the monitoring device 5 obtains a transmission cycle T for a message to be monitored by referring to the cycle information 52 b stored in the storage unit 52 .
  • the permission period decision part 62 sets the time point t 1 obtained by adding the transmission cycle T to the reference time point t 0 as the scheduled transmission time point t 1 for the message.
  • the permission period decision part 62 of the monitoring device 5 decides, as a permission period, a period including the scheduled transmission time point t 1 with the addition of predetermined periods A and B.
  • the period A and period B for deciding the permission period are decided in advance based on a measurement result or the like performed by simulation or by a real machine in the communication system, for example.
  • the same value may be used for all messages, or a different value may be used for each CAN-ID, for example.
  • the period A and the period B may be stored in the cycle information 52 b in association with the CAN-ID.
  • the period A may be decided based on a clock error or the like between the monitoring device 5 and the ECU 3 transmitting the message.
  • the period B is decided in consideration of time by which this message is delayed due to the arbitration processing.
  • the CAN communication unit 53 in the monitoring device 5 monitors transmission of messages to the CAN bus, and if detecting the transmission of a message, notifies the processing unit 51 thereof.
  • the transmittability determination part 63 of the processing unit 51 obtains information related to the CAN-ID of the transmitted message as well as the starting time point or ending time point of message transmission, based on the notification from the CAN communication unit 53 . Furthermore, the transmittability determination part 63 obtains a permission period decided by the permission period decision part 62 for the obtained CAN-ID. The transmittability determination part 63 determines whether or not the message, the transmission of which is detected, is transmitted during the permission period.
  • Two conditions are possible for determining whether or not the message is transmitted during the permission period: that the transmission of the message is started in the permission period, or that the transmission of the message is completed in the permission period. Either one of the conditions may be employed, while the value of the period B may appropriately be set in accordance with the condition to be employed. In the present embodiment, under the condition that the message transmission is completed in the permission period, the transmittability determination part 63 is to determine whether or not the message is transmitted during the permission period.
  • the transmittability determination part 63 determines that this message is an invalid message, and determines that the transmission of the message is not permitted. If the transmittability determination part 63 determines that the transmission of the message is not permitted, the discard processing part 64 in the monitoring device 5 performs processing of causing the ECU 3 connected to the CAN bus to discard the message. The details of the message discard processing will be described later.
  • the transmittability determination part 63 further performs determination on another condition.
  • the transmittability determination part 63 performs determination on the condition related to the arbitration processing and determination on the condition related to the message non-transmission period.
  • FIGS. 7 to 9 are schematic views for illustrating determination on the condition related to arbitration processing, performed by the transmittability determination part 63 .
  • arbitration processing is performed if the transmissions of multiple messages collide with each other, and thus a delay may be caused in the transmission of a message having a low priority level.
  • FIG. 7 illustrates the state where a determination target message has the CAN-ID of 7 , and three messages (messages with the CAN-IDs of 3 , 5 and 2 , respectively) having higher priority levels than the target message are transmitted earlier due to the arbitration processing.
  • the transmittability determination part 63 determines whether or not other message transmission is performed before the transmission of the target message during the permission period of the target message. In the case where other message transmission is performed, the transmittability determination part 63 checks the CAN-ID(s) of one or more other messages that have been transmitted, and compares it/them with the CAN-ID of the target message. According to the CAN protocol, the CAN-ID attached to a message indicates its priority. The smaller the numeric value is, the higher the priority is. The transmittability determination part 63 determines that the target message is a proper one only if either condition 1 or condition 2 as described below is satisfied for all the other messages transmitted previously.
  • Condition 1: The CAN-IDs of other messages are smaller than the CAN-ID of the target message, i.e., all the previous messages have higher levels of priority.
  • Condition 2: Though another message has a priority level lower than that of the target message, the transmission of the message with the low priority level is started before the permission period for the target message is started.
  • the transmittability determination part 63 determines that the target message is an invalid message.
  • FIG. 8 illustrates the state where a determination target message has the CAN-ID of 7 and the messages with the CAN-IDs of 3 , 5 and 9 are transmitted prior to the transmission of the target message.
  • the message with the CAN-ID of 9 has a priority level lower than the target message which has the CAN-ID of 7 .
  • the target message is not delayed to the illustrated timing due to the arbitration processing, but is transmitted at the illustrated timing by an invalid communication device. If the transmittability determination part 63 determines that the target message is an invalid message and is not permitted for the transmission thereof, the discard processing part 64 performs the processing of discarding the message.
  • the condition 2 defines an exception to the condition 1. That is, according to the condition 1, another message preceding the target message is required to have a priority level higher than that of the target message. Under the condition 2, however, an initially-transmitted message among one or more other messages transmitted during the permission period for messages may have a priority level lower than that of the target message if the initially-transmitted message had already been transmitted before the starting time point of the permission period.
  • FIG. 9 illustrates the state where the message with the CAN-ID of 10 is transmitted before the permission period is started, in addition to the messages illustrated in FIG. 7 .
  • the message with the CAN-ID of 10 has a priority level lower than the target message which has the CAN-ID of 7 . However, since the transmission of the message with the low priority level was started before the permission period for the target message is started, the transmittability determination part 63 permits the transmission of the target message.
  • FIG. 10 is a schematic view for illustrating determination on the condition related to a message non-transmission period, performed by the transmittability determination part 63 .
  • the transmittability determination part 63 inspects whether or not a message non-transmission period during which no message is transmitted onto the CAN bus is present in a period from the scheduled transmission time point t 1 to the transmission of the target message in the permission period for the target message. In the case where the message non-transmission period is present, the transmittability determination part 63 determines whether or not the message non-transmission period exceeds a predetermined length. In the case where more than one message non-transmission period is present, the transmittability determination part 63 individually compares each of the message non-transmission periods with the predetermined length.
  • For the predetermined length, for example, a period necessary for transmitting approximately three to ten bits of a message may be set. This is based on, for example, a period of three bits for the inter frame space (IFS), or ten bits including seven bits for the end of frame (EOF) added to IFS. These numeric values are however mere examples, and the predetermined length may be a period other than these.
  • the transmittability determination part 63 determines that the target message is an invalid message and is not permitted for the transmission thereof. If the transmittability determination part 63 determines that the target message is an invalid message and is not permitted for the transmission thereof, the discard processing part 64 performs the processing of discarding the message.
  • the transmittability determination part 63 determines that the target message is a proper message and permits the transmission thereof.
  • the transmittability determination part 63 determines whether or not a delay other than the delay caused by proper arbitration processing occurs in the transmission of this message. That is, the transmittability determination part 63 sets such conditions for permitting transmission of a determination target message, that the message transmitted prior to the target message during the permission period has a high priority level (except for any message started to be transmitted before the permission period), and that a message non-transmission period exceeding a predetermined length is not present in a period from the scheduled transmission time point to the transmission of the target message. The transmittability determination part 63 permits transmission of the target message in the case where both of the conditions are satisfied, while not permitting transmission of the target message in the case where at least one of the conditions is not satisfied.
  • the monitoring device 5 stores in the storage unit 52 the history of messages transmitted onto the CAN bus in order for the transmittability determination part 63 to perform determination on these conditions.
  • the history to be stored includes, for example, information related to the CAN-IDs of the transmitted messages as well as the starting time point or ending time point of transmission.
  • Monitoring of the message transmission by the monitoring device 5 is performed for each CAN-ID. That is, the monitoring device 5 decides a permission period for each CAN-ID, and determines whether or not the message may be transmitted for each CAN-ID.
  • FIG. 7 illustrates an example where the monitoring device 5 performs determination on the message with the CAN-ID of 7 as a target.
  • the monitoring device 5 also determines the transmittability individually for the respective messages with the CAN-IDs of 3 , 5 and 2 .
  • FIGS. 11 and 12 show a flowchart illustrating a procedure of message transmittability determination processing performed by the monitoring device 5 .
  • the variable n used in the present flowchart may be implemented using a register included in the processing unit 51 of the monitoring device 5 or the storage region such as a memory.
  • the processing unit 51 in the monitoring device 5 performs processing of deciding the reference time point t 0 at the reference time point decision part 61 (step S 1 ).
  • the processing unit 51 reads out cycle information 52 b stored in the storage unit 52 (step S 2 ), and obtains the transmission cycle T of a determination target message.
  • the processing unit 51 initializes the value of the variable n to 1 (step S 3 ).
  • the permission period decision part 62 of the processing unit 51 decides a permission period based on the reference time point t 0 decided at step S 1 , the cycle T obtained at step S 2 , predetermined constants A and B, and the variable n (step S 4 ).
  • the permission period may be decided as a period from (t 0 + nT - A) to (t 0 + nT + B).
  • the transmittability determination part 63 of the processing unit 51 determines whether or not the permission period decided at step S 4 has ended (step S 5 ). If the permission period has not ended (S 5 : NO), the transmittability determination part 63 inspects whether or not message reception on the CAN bus is detected at the CAN communication unit 53 (step S 7 ). If the message reception is not detected (S 7 : NO), the transmittability determination part 63 returns the processing to step S 5 . If the message reception is detected (S 7 : YES), the transmittability determination part 63 checks the CAN-ID of the detected message to determine whether or not this message is a determination target message (step S 8 ).
  • the transmittability determination part 63 records information related to the message (information such as CAN-ID, starting time point and ending time point of transmission) as a history (step S 9 ), and returns the processing to step S 5 . If this message is a determination target message (S 8 : YES), the transmittability determination part 63 determines whether or not the message is transmitted during the permission period (step S 10 ). If the message is not transmitted during the permission period (S 10 : NO), the processing unit 51 performs message discard processing by the discard processing part 64 (step S 11 ), and returns the processing to step S 5 .
  • the transmittability determination part 63 determines the presence or absence of a delay for the message with respect to the scheduled transmission time point tn (step S 12 ). If a delay is absent (S 12 : NO), the transmittability determination part 63 determines that the transmission is permitted because the message is a proper one, and returns the processing to step S 5 without the message discard processing. If a delay of a message with respect to the scheduled transmission time point tn is present (S 12 : YES), the transmittability determination part 63 obtains the history related to message transmission recorded at step S 9 (step S 13 ).
  • the transmittability determination part 63 determines whether or not a message having a priority level lower than that of the target message is transmitted during a period from the scheduled transmission time point tn to the transmission of the target message (step S 14 ). If a message having the low priority level is transmitted (S 14 : YES), the transmittability determination part 63 determines whether or not the transmission of the message having the low priority level had been started before the permission period for the target message (step S 15 ).
  • the transmittability determination part 63 determines the presence or absence of a message non-transmission period exceeding a predetermined length in a period from the scheduled transmission time point tn for a determination target message to the completion of the transmission of the message (step S 16 ). If a message non-transmission period is absent (S 16 : NO), the transmittability determination part 63 determines that the transmission is permitted because the message is a proper one, and returns the processing to step S 5 without the message discard processing.
  • the transmittability determination part 63 determines that the transmission is not permitted because the message is not a proper one, and the discard processing part 64 performs the message discard processing (step S 17 ), and returns the processing to step S 5 .
  • If it is determined that the permission period has ended at step S 5 (S 5 : YES), the processing unit 51 adds 1 to the variable n (step S 6 ), returns the processing to step S 4 , and performs monitoring for the next permission period.
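The determination of steps S 10 to S 16 for one target CAN-ID, as an added example that is not code from the patent, run over bus histories constructed to resemble FIGS. 7 to 10. The names `Frame` and `judge`, the microsecond timestamps, all sample values, and the reading of "delay" as a transmission start later than tn are assumptions; the priority check follows conditions 1 and 2 as stated above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    can_id: int  # smaller CAN-ID = higher priority
    start: int   # start of transmission, microseconds
    end: int     # end of transmission, microseconds


def permission_period(t0: int, cycle: int, n: int, a: int, b: int) -> Tuple[int, int, int]:
    """Return (start, tn, end) of the n-th permission period: tn - A .. tn + B."""
    tn = t0 + n * cycle
    return tn - a, tn, tn + b


def judge(target: Frame, history: List[Frame], t0: int, cycle: int, n: int,
          a: int, b: int, max_idle: int) -> Tuple[bool, str]:
    """Decide whether `target` is permitted; returns (permitted, reason)."""
    win_start, tn, win_end = permission_period(t0, cycle, n, a, b)

    # S10: transmission must be completed inside the permission period.
    if not (win_start <= target.end <= win_end):
        return False, "outside permission period"

    # S12: no delay relative to the scheduled time point, nothing more to check.
    if target.start <= tn:
        return True, "on schedule"

    # S13: frames from the recorded history that were on the bus during the
    # permission period before the target started.
    earlier = sorted((f for f in history
                      if f.end > win_start and f.start < target.start),
                     key=lambda f: f.start)

    # S14/S15: every earlier frame must outrank the target (condition 1)
    # unless it had already started before the permission period (condition 2).
    for f in earlier:
        if f.can_id > target.can_id and f.start >= win_start:
            return False, "preceded by lower-priority frame"

    # S16: between tn and the target's start the bus may not sit idle for
    # longer than max_idle; each idle stretch is compared individually.
    cursor = tn
    for f in earlier:
        if f.end <= tn:
            continue
        if f.start - cursor > max_idle:
            return False, "idle bus before late frame"
        cursor = max(cursor, f.end)
    if target.start - cursor > max_idle:
        return False, "idle bus before late frame"
    return True, "delayed by arbitration"


def chain(first_start: int, ids: List[int]) -> List[Frame]:
    """Constructed back-to-back frames: 250 us each, 6 us (3 bit) spacing."""
    frames, t = [], first_start
    for can_id in ids:
        frames.append(Frame(can_id, t, t + 250))
        t += 256
    return frames


def run_constructed_scenarios() -> Dict[str, Tuple[bool, str]]:
    # Constructed values: T = 10 ms, A = 100 us, B = 1500 us, idle limit 20 us.
    p = dict(t0=0, cycle=10_000, n=1, a=100, b=1_500, max_idle=20)
    cases = {
        "fig7": chain(9_990, [3, 5, 2, 7]),       # higher-priority frames first
        "fig8": chain(9_990, [3, 5, 9, 7]),       # ID 9 starts inside the period
        "fig9": chain(9_800, [10, 3, 5, 2, 7]),   # ID 10 started before the period
        "fig10": [Frame(3, 9_990, 10_240), Frame(7, 10_600, 10_850)],  # idle gap
        "off_cycle": [Frame(7, 5_000, 5_250)],    # injected mid-cycle
    }
    return {name: judge(frames[-1], frames[:-1], **p)
            for name, frames in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_constructed_scenarios().items():
        print(name, verdict)
```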
  • the monitoring device 5 causes the ECU 3 connected to the CAN bus to perform processing of discarding this message.
  • the message transmitted and received in the communication system according to the present embodiment is in accordance with the CAN protocol, and is configured to include a CAN header, a data field, a cyclic redundancy check (CRC) field, ACK field and end of frame (EOF).
  • the CAN header includes the start of frame (SOF) according to the conventional CAN protocol, an arbitration field, a control field and so forth, and the CAN-ID described above is set on the arbitration field.
  • the CRC field stores therein information for detecting an error.
  • the ACK field is a field for a reception response by the ECU 3 which receives the frame.
  • the EOF is a specific bit sequence indicating the end of the field.
  • the discard processing part 64 in the monitoring device 5 transmits an error frame to the CAN bus during the output period of the EOF in the message.
  • the error frame allows all the ECUs 3 connected to the CAN bus to discard invalid messages while being received.
  • In order to discard the message by this method, it is necessary for the transmittability determination part 63 in the monitoring device 5 to finish determination before the EOF of the message is output to the CAN bus.
  • the transmittability determination part 63 starts the determination processing as described above at the time point when the output of the CAN header of the message onto the CAN bus is finished, and ends the determination before the output of EOF.
  • the transmittability determination part 63 may calculate the transmission ending time point even before the end of the message transmission.
  • the monitoring device 5 may also be configured to store the CAN-ID determined by the transmittability determination part 63 as corresponding to an invalid message, and if the message with the same CAN-ID is output to the CAN bus afterward, the discard processing part 64 may discard the message without determination by the transmittability determination part 63 . Furthermore, the processing of discarding a message by the monitoring device 5 may be performed by various other methods, not limited to the method described above. Moreover, the monitoring device 5 may be configured to perform, if the transmittability determination part 63 determines that a message is invalid, processing other than discarding, such as transmission of an alert message to the ECU 3 , reporting to the user of the vehicle 1 , transmission of information to an external server device, or shutdown of the communication system or the communication network of interest.
  • FIG. 13 is a schematic diagram for illustrating reference time point decision processing performed between an ECU 3 and the monitoring device 5 .
  • the monitoring device 5 in the communication system according to the present embodiment starts the processing of deciding the reference time point by the reference time point decision part 61 of the processing unit 51 .
  • the reference time point decision part 61 in the monitoring device 5 first generates information to be used for calculating a hash value.
  • the reference time point decision part 61 generates a random seed and region specifying information.
  • the reference time point decision part 61 regards the data with a predetermined bit length obtained by generating a random number based on a predetermined algorithm as the random seed.
  • the region specifying information is to specify the region of the ROM 32 to be a target for hash value calculation, and corresponds to information such as, for example, a start address and an end address, or a start address and data size.
  • the reference time point decision part 61 may decide the start address based on a random number, for example, and decide the end address by adding a predetermined number to the start address.
  • the reference time point decision part 61 in the monitoring device 5 transmits the generated random seed and region specifying information to the ECU 3 together with the calculation request for the hash value. Moreover, the reference time point decision part 61 reads out the content stored in the ECU 3 to be processed from the copy data 52 a of the storage unit 52 , and calculates a hash value using the read stored content and the generated random seed as well as region specifying information. The reference time point decision part 61 extracts a portion specified by the region specifying information from the stored content that has been copied, and calculates a hash value by inputting the extracted stored content and random seed into a predetermined hash function. According to the present embodiment, the reference time point decision part 61 is to calculate a hash value of 160 bits using the hash function of SHA-1.
  • the ECU 3 which received the random seed and region specifying information from the monitoring device 5 uses the content stored in its own ROM 32 and the received random seed as well as region specifying information, to calculate a hash value by the hash value calculation part 42 of the processing unit 31 .
  • the hash value calculation part 42 extracts the portion specified by the region specifying information from the ROM 32 , and calculates a hash value by inputting the extracted stored content and the random seed into a predetermined hash function.
  • Since the hash function used by the monitoring device 5 is the same as the hash function used by the ECU 3 , and the content stored in the copy data 52 a by the monitoring device 5 is the same as the content stored in the ROM 32 by the ECU 3 , the monitoring device 5 and ECU 3 are supposed to calculate the same hash value. If the hash values are different, it is possible that the content stored in the ROM 32 of the ECU 3 may have been falsified.
  • the monitoring device 5 and ECU 3 may be configured to calculate a hash value by utilizing an existing hash function, such as Message Digest (MD) 4, MD5, SHA-1, SHA-256, SHA-384, SHA-512, RIPEMD-160 or SHA-3, for example.
  • Each of these is a so-called one-way hash function, which outputs one hash value for the input information.
  • the information to be input into the hash function is a part or whole of the program 32 a or data 32 b stored in the ROM 32 of the ECU 3 in the present embodiment.
  • the hash function may simply treat the input information as binary information and calculate a hash value.
  • the monitoring device 5 and ECU 3 store therein a predetermined hash function, which is used to calculate a hash value.
  • a calculation method will be described below for the case where the monitoring device 5 and ECU 3 calculate a hash value using the hash function of SHA-1.
  • As to the detailed processing for the hash function of SHA-1 as well as the case where the monitoring device 5 and ECU 3 use a different hash function, these hash functions are based on the existing technology and thus will not be described.
  • the monitoring device 5 and ECU 3 first perform padding processing.
  • In the padding processing, the monitoring device 5 and ECU 3 adjust the size of the information to be processed by adding extra data after the input information so as to correspond to an integer multiple of a predetermined value (512 bits).
  • the monitoring device 5 and ECU 3 perform the first processing of dividing the padded information into blocks each having 512 bits and calculating eighty values for each of the blocks.
  • the monitoring device 5 and ECU 3 perform, for the initial value having a predetermined size (160 bits), arithmetic operation using the value calculated by the first processing, and perform the second processing of setting the value of 160 bits obtained after the arithmetic operation as a hash value.
  • the monitoring device 5 and ECU 3 perform arithmetic operation of eighty steps for the initial value of 160 bits, using eighty values calculated for one block.
  • the information of the block may be mixed into the initial value of 160 bits, and the value of 160 bits may be obtained as an output.
  • the monitoring device 5 and ECU 3 set the obtained value of 160 bits as the initial value, to similarly perform arithmetic operation of 80 steps using eighty values calculated for the next block.
  • the monitoring device 5 and ECU 3 perform the processing of 80 steps similarly for all the blocks, and set the finally-obtained value of 160 bits as the hash value.
  • It is necessary for the monitoring device 5 and ECU 3 to calculate a hash value using the random seed generated by the monitoring device 5 .
  • the monitoring device 5 and ECU 3 may use the random seed for the data to be added to the input information in the padding processing described above.
  • the monitoring device 5 and ECU 3 may also use the random seed for the initial value of 160 bits, for example, in the second processing described above. It is assumed in the present embodiment that a random seed is used for the initial value in the second processing.
  • the method of utilizing the random seed by the monitoring device 5 and ECU 3 is not limited to the one described above.
  • the monitoring device 5 and ECU 3 may regard a logical operation value (exclusive logical sum or the like) of the random seed and the content stored in the ROM 32 which is a target for hash value calculation as information input into the hash function.
  • the monitoring device 5 and ECU 3 may regard the information including the random seed added to a predetermined position of the header portion, tail portion or the like of the content stored in the ROM 32 which is a target for hash value calculation, as information input into the hash function.
  • After finishing the transmission of the random seed as well as region specifying information to the ECU 3 and the calculation of the hash value, the reference time point decision part 61 in the monitoring device 5 performs processing of extracting a part of the calculated hash value.
  • the reference time point decision part 61 extracts a value of 64 bits from the calculated 160-bit hash value, and sets the extracted value as confirmation information, i.e. information used for confirmation.
  • the reference time point decision part 61 transmits a hash confirmation request including the extracted confirmation information to the ECU 3 of a processing target.
  • the ECU 3 which received the hash confirmation request from the monitoring device 5 obtains confirmation information included in the received hash confirmation request.
  • the processing unit 31 of the ECU 3 compares the confirmation information obtained from the monitoring device 5 with the hash value calculated by the processing unit 31 itself at the hash value calculation part 42 .
  • the processing unit 31 determines whether or not the hash value calculated by the hash value calculation part 42 includes a part of the hash value obtained from the monitoring device 5 as the confirmation information. If it is determined that the hash value for the confirmation information is not included in its own hash value, it is conceivable that the hash value calculated by the ECU 3 does not match the hash value calculated by the monitoring device 5 , and therefore, the processing unit 31 interrupts the processing and sends an error notification to the monitoring device 5 .
  • the hash value calculated by the ECU 3 is regarded as the same value as the hash value calculated by the monitoring device 5 , and the processing unit 31 performs the processing of transmitting a response to the hash confirmation request (hash confirmation response) to the monitoring device 5 .
  • the processing unit 31 extracts, from the hash value of 160 bits calculated by the hash value calculation part 42 , information of 64 bits succeeding the confirmation information sent from the monitoring device 5 , as response information.
  • the processing unit 31 transmits the extracted response information of 64 bits to the monitoring device 5 while including it in the hash confirmation response.
  • the method of extracting the confirmation information and response information from the hash value is not limited thereto.
  • the confirmation information and the response information may overlap with each other in part.
  • the reference time point decision part 61 in the monitoring device 5 which received the hash confirmation response from the ECU 3 obtains response information included in the received hash confirmation response.
  • the reference time point decision part 61 compares the response information obtained from the ECU 3 with the hash value calculated by itself.
  • the reference time point decision part 61 determines whether or not a portion of the hash value calculated by itself excluding the confirmation information includes a part of the hash value obtained as the response information from the ECU 3 .
  • the reference time point decision part 61 interrupts the processing and sends an error notification or the like to the ECU 3 .
  • the reference time point decision part 61 regards the hash value calculated by the monitoring device 5 and the hash value calculated by the ECU 3 as the same value.
  • the reference time point decision part 61 may notify the ECU 3 that the determination of the hash value has succeeded.
  • the reference time point decision part 61 decides the time point when the reception of a proper hash confirmation response from the ECU 3 is completed as the reference time point t 0 .
  • the monitoring device 5 decides the scheduled transmission time point and the permission period as described above, and starts monitoring message transmission.
  • the processing unit 31 in the ECU 3 sets the time point when the transmission of a hash confirmation response to the monitoring device 5 is completed, as the reference time point t 0 .
  • the message processing part 41 in the ECU 3 transmits messages at the cycle T with respect to the reference time point t 0 .
  • FIG. 14 is a schematic diagram for illustrating reference time point decision processing performed by the monitoring device 5 with multiple ECUs 3 . While the reference time point decision processing is performed between the monitoring device 5 and three ECUs 3 in the present example, the monitoring device 5 similarly performs the reference time point decision processing with fewer than or more than three ECUs 3 .
  • the monitoring device 5 sequentially transmits a hash value calculation request including a random seed and region specifying information to each of the ECUs 3 .
  • a hash value calculation request including a random seed and region specifying information
  • a common value may be used or a different value may be set for each of the ECUs 3 .
  • Each of the ECUs 3 which received the hash value calculation request from the monitoring device 5 individually calculates a hash value based on the content stored in its own ROM 32 .
  • the monitoring device 5 reads out the content stored in each ECU 3 from the copy data 52 a in the storage unit 52 , and calculates a hash value for each ECU 3 .
  • the monitoring device 5 which finished the calculation of the hash value in each ECU 3 transmits a hash value confirmation request to any one of the ECUs 3 , and receives a hash value confirmation response from the ECU 3 .
  • the monitoring device 5 determines whether or not the hash value included in the received hash value confirmation response is a correct one, and if the hash value is correct, decides the time point when the reception of the hash value confirmation response is completed as the reference time point t 0 for this ECU 3 .
  • the monitoring device 5 transmits a hash value confirmation request, receives a hash value confirmation response and decides a reference time point for a different one of the ECUs 3 . Accordingly, the monitoring device 5 sequentially repeats transmission of a hash value confirmation request, reception of a hash value confirmation response and deciding of a reference time point for each of the ECUs 3 included in the communication system. After the reference time points are decided for all the ECUs 3 , the monitoring device 5 starts monitoring the message transmission, and each ECU 3 starts transmission and reception of messages. The monitoring by the monitoring device 5 and the message transmission by the ECUs 3 may be started sequentially from the one with the reference time point decided.
  • FIG. 15 is a flowchart illustrating the procedure of reference time point decision processing performed by the monitoring device 5 .
  • the reference time point decision part 61 in the monitoring device 5 generates a random seed used for hash value calculation and region specifying information which specifies a storage region of the ROM 32 in the ECU 3 of a target for hash value calculation (step S 21 ).
  • the reference time point decision part 61 transmits a hash value calculation request including the generated random seed and region specifying information to the ECU 3 of a processing target through the CAN communication unit 53 (step S 22 ).
  • the reference time point decision part 61 obtains the copy data 52 a of the content stored in the ECU 3 of a processing target from the storage unit 52 , and calculates a hash value using a predetermined hash function based on the obtained copy data 52 a and the random seed as well as region specifying information generated at step S 21 (step S 23 ).
  • the reference time point decision part 61 extracts a portion from the hash value calculated at step S 23 , as confirmation information (step S 24 ).
  • the reference time point decision part 61 transmits a hash confirmation request including the extracted confirmation information to the ECU 3 of a processing target through the CAN communication unit 53 (step S 25 ).
  • the reference time point decision part 61 determines whether or not the hash value confirmation response transmitted by the ECU 3 in response to the hash value confirmation request is received by the CAN communication unit 53 (step S 26 ). If the hash value confirmation response is not received (S 26 : NO), the reference time point decision part 61 determines whether or not an error notification is received from the ECU 3 of the processing target (step S 27 ). If the error notification is not received (S 27 : NO), the reference time point decision part 61 returns the processing to step S 26 , and waits until the hash value confirmation response or error notification is received from the ECU 3 .
  • the reference time point decision part 61 determines whether the response information is correct or not in accordance with whether the response information included in the received hash value confirmation response is included in the hash value calculated at step S 23 (step S 28 ). If the error notification is received from the ECU 3 (S 27 : YES), or if the response information received from the ECU 3 is not correct (S 28 : NO), the reference time point decision part 61 determines that the content stored in the ROM 32 of the target ECU 3 may have been altered, performs appropriate error processing by, for example, stopping the operation of the ECU 3 (step S 29 ), and terminates the processing.
  • the reference time point decision part 61 decides that the time point when the reception of the hash value confirmation response from the ECU 3 is completed is the reference time point (step S 30 ), and terminates the processing.
  • FIG. 16 is a flowchart illustrating a procedure of processing performed by an ECU according to a request for calculating a hash value from the monitoring device 5 .
  • the processing unit 31 of the ECU 3 determines whether or not a hash value calculation request is received at the CAN communication unit 34 from the monitoring device 5 (step S 31 ). If the hash value calculation request is not received (S 31 : NO), the processing unit 31 waits until the hash value calculation request is received. If the hash value calculation request is received (S 31 : YES), the processing unit 31 obtains the random seed and region specifying information included in the received hash value calculation request (step S 32 ).
  • the hash value calculation part 42 of the processing unit 31 calculates a hash value using a predetermined hash function, based on the content stored in the ROM 32 and the random seed as well as region specifying information obtained at step S 32 (step S 33 ).
  • the processing unit 31 stores the calculated hash value in the RAM 33 (step S 34 ), and terminates the processing.
  • FIG. 17 is a flowchart illustrating a procedure of processing performed by the ECU 3 in response to a request for confirming a hash value from the monitoring device 5 .
  • the processing unit 31 of the ECU 3 determines whether or not a hash value confirmation request is received at the CAN communication unit 34 from the monitoring device 5 (step S 41 ). If the hash value confirmation request is not received (S 41 : NO), the processing unit 31 waits until the hash value confirmation request is received. If the hash value confirmation request is received (S 41 : YES), the processing unit 31 reads out the hash value stored in the RAM 33 (step S 42 ).
  • the processing unit 31 determines if the confirmation information is correct or not in accordance with whether the confirmation information included in the hash value confirmation request received at step S 41 is contained in the hash value read out at step S 42 (step S 43 ). If the confirmation information is not correct (S 43 : NO), the processing unit 31 transmits an error notification to the monitoring device 5 (step S 44 ), and terminates the processing.
  • the processing unit 31 extracts a portion with a predetermined length succeeding the confirmation information from the hash value read out at step S 42 , as response information (step S 45 ).
  • the processing unit 31 transmits the hash value confirmation response including the extracted response information to the monitoring device 5 through the CAN communication unit 34 (step S 46 ).
  • the processing unit 31 decides a time point when the transmission of the hash value confirmation response is completed as a reference time point (step S 47 ), and terminates the processing.
  • the timing of the processing is not limited thereto. Moreover, in the case where, for example, a time lag or the like occurs in the timing for transmitting a message by the ECU 3 , or the cycle of message transmission is changed, the processing of re-deciding the reference time point may be performed between the monitoring device 5 and the ECU 3 .
  • the monitoring device 5 may transmit a hash value calculation request and a hash value confirmation request, and in response thereto, the ECU 3 may transmit a hash value confirmation response to re-decide the reference time point. It may also be configured that the ECU 3 transmits a request for performing processing of re-deciding the reference time point to the monitoring device 5 , and in response thereto, the monitoring device 5 starts the processing of deciding the reference time point.
  • the hash value obtained in the processing of deciding the reference time point may be stored, and the ECU 3 may transmit a request for re-deciding the reference time point including this hash value to the monitoring device 5 .
  • the monitoring device 5 which received the re-deciding request sets a time point when the reception of the re-deciding request is completed as a new reference time point if the hash value included in the re-deciding request is correct.
  • the ECU 3 may set the time point when the transmission of the re-deciding request is completed as a new reference time point.
  • the communication system is configured to include multiple ECUs 3 connected to a CAN bus, each of which periodically transmits messages, and is provided with the monitoring device 5 for detecting invalid message transmission.
  • the monitoring device 5 monitors the CAN bus to detect a message transmitted by the ECU 3 . By determining whether or not the detected message has been transmitted during the permission period, the monitoring device 5 may determine whether or not this message is invalid and determine whether or not transmission of this message is to be permitted.
  • the monitoring device 5 is configured to decide a permission period for subsequent message transmission based on the reference time point t 0 decided at the initial phase, i.e., configured to decide a permission period on an absolute basis.
  • a time point obtained by adding the cycle T to the reception time point of the message is set as a scheduled transmission time point for the reception of each message to decide a permission period, i.e., that the permission period is decided on a relative basis.
  • the arbitration processing is performed if collision occurs in message transmission, and thus a delay may be caused in the transmission of a message having a low priority level.
  • the permission period for determination varies if a delay is caused in message transmission. It is thus necessary to elongate the permission period to some extent, and therefore the permission period cannot easily be shortened. The longer the permission period, the more likely it is that an invalid message is misjudged as valid.
  • the permission period for the next message may be decided on the basis of the reception of an invalid message. In the case where such a situation occurs, it is possible that invalid messages are sequentially misjudged as valid messages.
  • the monitoring device 5 according to the present embodiment is able to avoid the occurrence of these problems by deciding a permission period on the absolute basis.
  • the monitoring device 5 decides the reference time point t 0 individually for each of the ECUs 3 included in the communication system.
  • the monitoring device 5 decides the scheduled transmission time point to and the permission period with respect to the decided reference time point t 0 for each of the ECUs 3 . Accordingly, even if the communication system includes the ECUs 3 with different transmission cycles T, transmission timings and the like of messages, the monitoring device 5 may determine whether or not message transmission is permitted for each one of the ECUs 3 .
  • an ECU 3 may transmit different types of messages with different transmission cycles, while the monitoring device 5 decides a permission period for each of the CAN-IDs of the messages. This allows the monitoring device 5 to determine the transmittability for each type of the messages even in the case where one ECU 3 transmits messages with different transmission cycles.
  • While the reference time point t 0 is decided for each ECU 3 in the present embodiment, it is not limited thereto, and the reference time point t 0 may also be decided for each CAN-ID. In such a case, the monitoring device 5 may perform the processing of deciding the reference time point multiple times (i.e., corresponding to the number of CAN-IDs assigned to the ECU 3 ) for one ECU 3 .
  • the arbitration processing is performed if the transmission of multiple messages collides, and thus a delay may be caused in the transmission of a message.
  • the monitoring device 5 inspects whether or not a message has been transmitted in a period from the scheduled transmission time point to for a determination target message to the completion of transmission of the message. In the case where a message has been transmitted, the monitoring device 5 compares the priority level of the target message with the priority level of the transmitted message. If the priority level of the transmitted message is higher than the priority level of the target message, the target message is assumed to be delayed in its transmission due to the arbitration processing. Thus, the monitoring device 5 permits the transmission of the target message.
  • the monitoring device 5 may determine whether or not the message transmission is permitted.
  • the monitoring device 5 determines whether or not a message non-transmission period exceeding a predetermined length is present in a period from the scheduled transmission time point to for the target message to the completion of the transmission of the message. If a message non-transmission period is present, the monitoring device 5 does not permit transmission of the target message, because it is assumed that the delay of the target message is not caused by proper arbitration processing.
  • a predetermined procedure is performed between the monitoring device 5 and the ECU 3 in order to decide the reference time point t 0 .
  • the monitoring device 5 transmits a hash value calculation request to the ECU 3 .
  • the monitoring device 5 sends a random seed and region specifying information necessary for hash value calculation to the ECU 3 .
  • the ECU 3 which received the hash value calculation request from the monitoring device 5 calculates a hash value using a predetermined hash function, based on the random seed as well as region specifying information included in the hash value calculation request and the data stored in the ROM 32 .
  • the ECU 3 transmits the hash value confirmation response including the calculated hash value to the monitoring device 5 in response to the hash value confirmation request from the monitoring device 5 .
  • the monitoring device 5 which received the hash value confirmation response from the ECU 3 determines whether or not the hash value included in the hash value confirmation response is correct. If the received hash value is correct, the monitoring device 5 decides the reference time point t 0 based on the time point when the reception of the hash value confirmation response is completed. For example, the monitoring device 5 sets the time point when the reception of the hash value confirmation or the like is completed as the reference time point t 0 .
  • the reference time point t 0 is not limited thereto, but may be the transmission start point of the hash value confirmation response for example, or may be the time point obtained by adding or subtracting a predetermined period to/from the time point when the reception of the hash value confirmation response is completed, for example.
  • the ECU 3 decides the reference time point t 0 based on the time point when transmission of the hash confirmation response including a correct hash value is completed, and transmits messages at the cycle T with the decided time point set as the reference. Since the reference time point t 0 may be decided on the basis of the transmission and reception of highly reliable information based on a hash value, the monitoring device 5 may perform processing of detecting an invalid message with high reliability.
  • the monitoring device 5 performs the processing of causing the ECU 3 which is to receive the message to discard the message. For example, the monitoring device 5 may transmit an error frame to the CAN bus during the period of outputting the EOF in an invalid message, to cause the ECU 3 to discard the message. This can prevent the ECU 3 from receiving an invalid message and performing processing according to the message.
  • While the processing of deciding a reference time point, the processing of deciding a permission period, the processing of determining the transmittability, the processing of discarding an invalid message and so forth are performed by the processing unit 51 (so-called CPU or the like) of the monitoring device 5 in the present embodiment, it is not limited thereto, and these processes may also be performed by the CAN communication unit 53 (so-called CAN controller or the like).
  • the processing of deciding a reference time point such as the hash value calculation processing for the ECU 3 may be performed by the CAN communication unit 34 , not by the processing unit 31 .
  • the reference time point t 0 is decided by exchanging information using a hash value between the monitoring device 5 and the ECU 3
  • the reference time point t 0 may also be decided by a method not using a hash value.
  • information encrypted using a public key, secret key or the like may be transmitted and received between the monitoring device 5 and the ECU 3 , and the reference time point t 0 may be decided based on the result of the transmission and reception.
  • the monitoring device 5 and the ECU 3 may perform highly reliable communication, to decide the reference time point t 0 based on the result of the communication.
  • the reference time point t 0 may be decided using the time synchronized by this function.
  • While the monitoring device 5 is configured to store the copy data 52 a obtained by copying the content stored in the ROM 32 of the ECU 3 in the storage unit 52 , it is not limited thereto.
  • the copy data 52 a may be stored in a different server device or the like, and the monitoring device 5 may obtain the copy data 52 a from the server device as required.
  • the server device may be provided with the hash value calculating function for the monitoring device 5 to obtain a required hash value from the server device.
  • the communication system mounted to the vehicle 1 is not limited to the one mounted to the vehicle 1 but may also be a system mounted to a movable object such as an airplane or a vessel, or may be installed in a factory, an office, a school or the like, not in a movable object.
  • the transmittability determination part 63 determines that the target message is a proper message and permits the transmission thereof.
  • the monitoring device 5 according to Variation Example is configured to add the determination condition of the transmittability determination part 63 to the configuration of the monitoring device 5 as described above.
  • the transmittability determination part 63 in the monitoring device 5 according to the variation example does not permit the subsequent message transmission for all the messages. This allows the monitoring device 5 according to the variation example to prohibit transmission of a message that may be invalid.
  • the monitoring device 5 may be configured, for example, to count the number of arrivals of two or more target messages within the transmission permission period, and if the number exceeds a predetermined number, to prohibit transmission of messages.
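The hash confirmation exchange of FIG. 15 to FIG. 17 (steps S21 to S47), simulated end to end as an added example that is not code from the patent. SHA-1 (chosen only for its 160-bit output), the 64-bit confirmation length, taking the confirmation information from the start of the hash, and all class, function and sample-data names are assumptions.

```python
import hashlib
import hmac

CONFIRM_BYTES = 8    # assumption: 64-bit confirmation information
RESPONSE_BYTES = 8   # 64-bit response information, as in the description


def rom_hash(rom, seed, region):
    """160-bit hash over the random seed and the specified ROM region."""
    start, length = region
    if start < 0 or length <= 0 or start + length > len(rom):
        raise ValueError("region specifying information is outside the ROM")
    # SHA-1 is an assumption, used only because its output is 160 bits.
    return hashlib.sha1(seed + rom[start:start + length]).digest()


class Ecu:
    def __init__(self, rom):
        self.rom = rom
        self.stored_hash = None   # kept in RAM between the two requests (S34)
        self.t0 = None

    def on_calculation_request(self, seed, region):        # S31 to S34
        self.stored_hash = rom_hash(self.rom, seed, region)

    def on_confirmation_request(self, confirmation, now):   # S41 to S47
        digest = self.stored_hash
        if digest is None or len(confirmation) != CONFIRM_BYTES:
            return ("error", None)
        pos = digest.find(confirmation)                      # S43: contained?
        end = pos + CONFIRM_BYTES + RESPONSE_BYTES
        if pos < 0 or end > len(digest):
            return ("error", None)                           # S44
        self.t0 = now                                        # S47
        return ("response", digest[pos + CONFIRM_BYTES:end])  # S45, S46


class Monitor:
    def __init__(self, rom_copy):
        self.rom_copy = rom_copy  # copy data 52a of the ECU's ROM content
        self.digest = None
        self.t0 = None

    def start(self, seed, region):                           # S21 to S24
        self.digest = rom_hash(self.rom_copy, seed, region)
        return self.digest[:CONFIRM_BYTES]

    def on_reply(self, kind, payload, now):                  # S26 to S30
        if kind != "response" or payload is None:
            return "error_notification"                      # S27: YES
        # Fixed-offset, constant-time form of the containment check in S28.
        expected = self.digest[CONFIRM_BYTES:CONFIRM_BYTES + RESPONSE_BYTES]
        if not hmac.compare_digest(payload, expected):
            return "bad_response"                            # S28: NO
        self.t0 = now                                        # S30
        return "ok"


def decide_reference_time(monitor, ecu, seed, region, now):
    """Run one exchange; `now` stands in for the completion time on the bus."""
    confirmation = monitor.start(seed, region)
    ecu.on_calculation_request(seed, region)
    kind, payload = ecu.on_confirmation_request(confirmation, now)
    return monitor.on_reply(kind, payload, now)


# Constructed sample data: a 1 KiB "ROM" and a copy with one byte changed.
GENUINE_ROM = bytes(range(256)) * 4
TAMPERED_ROM = GENUINE_ROM[:100] + b"\xff" + GENUINE_ROM[101:]
SEED = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    for label, rom in (("genuine", GENUINE_ROM), ("tampered", TAMPERED_ROM)):
        mon, ecu = Monitor(GENUINE_ROM), Ecu(rom)
        status = decide_reference_time(mon, ecu, SEED, (0, 512), now=1000)
        print(label, status, mon.t0, ecu.t0)
```

In this model a changed byte outside the requested region does not alter the hash for that round, so only the region named in the calculation request is covered by a given exchange.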
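The permission period decided on an absolute basis, compared with the relative basis that the description argues against, together with the arbitration-delay check, as an added example that is not code from the patent. The symmetric margin around each scheduled time, comparing the frame's start time against the permission period, the idle threshold, the millisecond values and all names are assumptions, and the frame timings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    can_id: int    # a lower CAN-ID wins arbitration (higher priority)
    start: float   # time the frame started on the bus, in ms
    end: float     # time its transmission completed, in ms


def scheduled_time(t0, cycle, when):
    """Scheduled transmission time t0 + n*cycle (n >= 1) nearest to `when`."""
    n = max(1, round((when - t0) / cycle))
    return t0 + n * cycle


def delay_excused(frame, sched, bus, max_idle):
    """True if higher-priority traffic kept the bus busy from `sched` on."""
    others = sorted((f for f in bus if f != frame
                     and f.start >= sched and f.end <= frame.start),
                    key=lambda f: f.start)
    if not others:
        return False              # nothing was sent, so nothing to lose to
    if any(f.can_id >= frame.can_id for f in others):
        return False              # equal or lower priority explains no delay
    cursor = sched
    for f in others + [frame]:
        if f.start - cursor > max_idle:
            return False          # non-transmission period: delay not excused
        cursor = max(cursor, f.end)
    return True


def absolute_verdict(frame, t0, cycle, margin, bus=(), max_idle=0.5):
    """Absolute basis: every permission period is derived from t0 alone."""
    sched = scheduled_time(t0, cycle, frame.start)
    if abs(frame.start - sched) <= margin:
        return "permit"
    if frame.start > sched and delay_excused(frame, sched, bus, max_idle):
        return "permit (arbitration delay)"
    return "reject"


def absolute_verdicts(frames, t0, cycle, margin, bus=(), max_idle=0.5):
    return [absolute_verdict(f, t0, cycle, margin, bus, max_idle)
            for f in frames]


def relative_verdicts(frames, cycle, margin):
    """Relative basis: next scheduled time = last reception time + cycle."""
    verdicts, expected = [], None
    for f in frames:
        ok = expected is None or abs(f.start - expected) <= margin
        verdicts.append("permit" if ok else "reject")
        expected = f.start + cycle   # re-anchors even on a rejected frame
    return verdicts


# Constructed trace for one CAN-ID, t0 = 0 ms, cycle T = 100 ms.
# The last three frames are off schedule by half a cycle.
STREAM = [Frame(0x120, 100.0, 100.25), Frame(0x120, 200.5, 200.75),
          Frame(0x120, 250.0, 250.25), Frame(0x120, 350.0, 350.25),
          Frame(0x120, 450.0, 450.25)]

# Constructed late frame: scheduled at 500 ms, started at 503.1 ms.
LATE = Frame(0x300, 503.1, 504.0)
BUSY_BUS = [Frame(0x100, 500.0, 501.0), Frame(0x0F0, 501.1, 502.0),
            Frame(0x110, 502.1, 503.0)]
GAPPY_BUS = [Frame(0x100, 500.0, 501.0)]   # bus idle for 2.1 ms afterwards

if __name__ == "__main__":
    print("absolute:", absolute_verdicts(STREAM, 0.0, 100.0, 2.0))
    print("relative:", relative_verdicts(STREAM, 100.0, 2.0))
    print("late, busy bus :", absolute_verdict(LATE, 0.0, 100.0, 2.0, BUSY_BUS))
    print("late, gappy bus:", absolute_verdict(LATE, 0.0, 100.0, 2.0, GAPPY_BUS))
```

On the constructed trace the relative basis rejects only the first off-schedule frame and then permits the following ones because its reference has moved, while the absolute basis rejects all three.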

US15/527,826 2014-11-20 2015-11-18 Communication control device and communication system Active 2036-02-26 US10432421B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2014-235782 2014-11-20
JP2014235782 2014-11-20
PCT/JP2015/082349 WO2016080422A1 (ja) 2014-11-20 2015-11-18 Communication control device and communication system

Publications (2)

Publication Number Publication Date
US20170324579A1 US20170324579A1 (en) 2017-11-09
US10432421B2 true US10432421B2 (en) 2019-10-01

Family

ID=56013957


Country Status (5)

Country Link
US (1) US10432421B2 (zh)
JP (1) JP6306206B2 (zh)
CN (1) CN107005447B (zh)
DE (1) DE112015005252T5 (zh)
WO (1) WO2016080422A1 (zh)

Also Published As

Publication number Publication date
US20170324579A1 (en) 2017-11-09
WO2016080422A1 (ja) 2016-05-26
JPWO2016080422A1 (ja) 2017-08-17
CN107005447B (zh) 2020-09-08
CN107005447A (zh) 2017-08-01
JP6306206B2 (ja) 2018-04-04
DE112015005252T5 (de) 2017-08-10

Legal Events

Date Code Title Description
AS Assignment

Owner name: AUTONETWORKS TECHNOLOGIES, LTD., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TAKADA, HIROAKI;KURACHI, RYO;ADACHI, NAOKI;SIGNING DATES FROM 20170125 TO 20170410;REEL/FRAME:042424/0112

Owner name: SUMITOMO WIRING SYSTEMS, LTD., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TAKADA, HIROAKI;KURACHI, RYO;ADACHI, NAOKI;SIGNING DATES FROM 20170125 TO 20170410;REEL/FRAME:042424/0112

Owner name: SUMITOMO ELECTRIC INDUSTRIES, LTD., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TAKADA, HIROAKI;KURACHI, RYO;ADACHI, NAOKI;SIGNING DATES FROM 20170125 TO 20170410;REEL/FRAME:042424/0112

Owner name: NATIONAL UNIVERSITY CORPORATION NAGOYA UNIVERSITY,

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TAKADA, HIROAKI;KURACHI, RYO;ADACHI, NAOKI;SIGNING DATES FROM 20170125 TO 20170410;REEL/FRAME:042424/0112

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4